Data Use & Security

uMerit AI uses multiple layers of security controls to protect your data — from the moment it leaves your browser to how it is stored, accessed, and eventually deleted. Our approach covers encryption, access control, infrastructure hardening, and incident response.

We do not sell your data. We do not share it with colleges. We do not use your essays to train AI models.

All data is encrypted both in transit and at rest.

Encryption Standards

• In Transit: All data between your browser and our servers is encrypted using TLS 1.3
• At Rest: Profiles, essays, scores, and application data are encrypted using AES-256
• Database Security: PostgreSQL databases are encrypted at the disk level; access is restricted to authorized services only

Who Can Access Your Data

• You: Full access to view, edit, and delete your data at any time
• uMerit Staff: Limited access for support purposes only, logged and audited
• Third Parties: No access — we do not sell, share, or provide your data to third parties, colleges, advertisers, or data brokers

Authentication

• Secure password authentication with complexity requirements
• Session tokens expire after 30 days of inactivity
• Role-based access control (RBAC) ensures users can only access their own data

• Hosting: Enterprise-grade cloud infrastructure with automatic backups and 99.9% uptime SLA
• Firewalls: Multi-layer firewall protection prevents unauthorized access to servers
• DDoS Protection: Distributed denial-of-service mitigation ensures service availability
• Monitoring: 24/7 automated monitoring detects and alerts on suspicious activity
• Backups: Daily encrypted backups with 30-day retention; data can be restored after system failure

Retention Policy

• Active Accounts: Data is retained as long as your account is active
• Inactive Accounts: If you cancel but do not delete your account, data is retained for 12 months
• Deleted Accounts: All personal data, essays, and application information is permanently deleted within 30 days of account deletion
• Anonymized Analytics: Non-identifying usage data may be retained for product improvement and cannot be traced back to you

How to Delete Your Data

To request full data deletion, email contact@umerit.ai with subject line "Data Deletion Request." We will confirm deletion within 30 days.

uMerit AI is designed to comply with applicable privacy and data protection regulations:

• FERPA (institutional use): We offer data processing agreements for schools and districts to support their FERPA obligations
• COPPA: The platform is intended for users 13 and older. We do not knowingly collect data from children under 13
• GDPR: For EU/EEA users, we comply with data portability, right to erasure, and consent management requirements
• CCPA: California residents may request data access, deletion, and opt-out of data sales (note: we do not sell data)

• We do not sell your data to advertisers, data brokers, or third parties
• We do not share your data with colleges or admissions offices without your explicit consent
• We do not use your essays for AI training or model improvement without anonymization and consent
• We do not track you across other websites (no third-party tracking pixels or cookies)
• We do not send unsolicited marketing unless you opt in

In the event of a data breach or security incident:

• We will notify affected users within 72 hours of discovering the breach
• We will provide details on what data was affected and what actions you should take
• We will report the incident to relevant authorities as required by law
• We will conduct a full investigation and implement additional safeguards to prevent recurrence

For questions about our security practices, data handling, or to report a security concern, email contact@umerit.ai with subject line "Security Inquiry."

Hash Origin Inc. · Delaware, USA